What is claimed is: 



1 1 . A system for identifying a macro virus family using a macro virus 

2 definitions database, comprising: 

3 a macro virus definitions database comprising a set of indices and macro 

4 virus definition data files with each index referencing one or more of the macro 

5 virus definition data files and each macro virus definition data file defining macro 

6 virus attributes for known macro viruses, the sets of the indices and the macro 

7 virus definition data files being organized according to macro virus families in 

8 each respective index and macro virus definition data file set; 

9 a macro virus checker comparing a suspect string to the macro virus 

1 0 attributes defined in the one or more macro virus definition data files for each 

1 1 macro virus family in the macro virus definitions database and determining each 

12 macro virus family to which the suspect string belongs from the index for each 

1 3 macro virus definition data file at least partially containing the suspect string. 

1 2. A system according to Claim 1, further comprising: 

2 the macro virus definition data files being indexed into the macro virus 

3 families categorized by a replication method employed. 

1 3 . A system according to Claim 1 , wherein the suspect string 

2 comprises part of a suspect file comprising a plurality of individual suspect 

3 strings. 

1 4. A system according to Claim 3, further comprising: 

2 the macro virus checker identifying a replication method substantially 

3 common to a plurality of the individual suspect strings in the suspect file. 

1 5. A system according to Claim 4, further comprising: 

2 the macro virus checker identifying the macro virus family by which the 

3 common replication method is indexed. 

1 6. A system according to Claim 1, further comprising: 
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2 the macro virus definitions database storing string constants common to 

3 each macro virus family in the macro virus attributes for the macro virus 

4 definition data files; and 

5 the macro virus checker comparing the suspect string to the string 

6 constants in the one or more macro virus definition data files for each macro virus 

7 family. 

1 7. A system according to Claim 6, further comprising: 

2 a parameter specifying a threshold to matches of commonly shared string 

3 constants. 

1 8. A system according to Claim 6, further comprising: 

2 a parameter specifying a minimum length of commonly shared string 

3 constants. 

1 9. A system according to Claim 1 , further comprising: 

2 the macro virus definitions database storing source code text common to 

3 each macro virus family in the macro virus attributes for the macro virus 

4 definition data files; and 

5 the macro virus checker comparing the suspect string to the source code 

6 text in the one or more macro virus definition data files for each macro virus 

7 family. 

1 10. A system according to Claim 9, further comprising: 

2 a parameter specifying a threshold to matches of commonly shared source 

3 code text. 

1 1 1 . A system according to Claim 9, further comprising: 

2 a set of keywords used in the stored source code text to identify each 

3 replication method employed. 

1 12. A system according to Claim 1 , further comprising: 

2 the macro virus checker resetting the index referencing one or more of the 

3 macro virus definition data files for at least one macro virus family and creating a 
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4 new macro virus definition data file entry comprising an index referencing one or 

5 more macro virus definition files. 



1 1 3 . A system according to Claim 1 2, further comprising: 

2 the new macro virus definition data file entry defining the macro virus 

3 attributes by storing at least one of a string constant and source code text. 

1 14. A system according to Claim 1 , further comprising: 

2 the macro virus checker parsing macro virus attributes from one or more 

3 file objects and analyzing the macro virus definition data files by index for each 

4 macro virus family. 

1 15. A system according to Claim 14, further comprising: 

2 the macro virus checker cross referencing at least one of a string constant 

3 and source code text from the parsed macro file attributes against the macro virus 

4 attributes defined in the virus definition data files. 

1 16. A system according to Claim 1, further comprising: 

2 the macro virus checker iteratively retrieving each macro virus definition 

3 data file using the index for each macro virus family and providing the macro 

4 virus attributes defined in the retrieved macro virus definition data file. 

1 1 7. A method for identifying a macro virus family using a macro virus 

2 definitions database, comprising: 

3 maintaining a macro virus definitions database comprising a set of indices 

4 and macro virus definition data files with each index referencing one or more of 

5 the macro virus definition data files and each macro virus definition data file 

6 defining macro virus attributes for known macro viruses; 

7 organizing the sets of the indices and the macro virus definition data files 

8 according to macro virus families in each respective index and macro virus 

9 definition data file set; 
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10 comparing a suspect string to the macro virus attributes defined in the one 

11 or more macro virus definition data files for each macro virus family in the macro 

12 virus definitions database; and 

1 3 determining each macro virus family to which the suspect string belongs 

14 from the index for each macro virus definition data file at least partially 

1 5 containing the suspect string. 

1 1 8 . A method according to Claim 1 7, further comprising: 

2 indexing the macro virus definition data files into the macro virus families 

3 categorized by a replication method employed. 

1 19. A method according to Claim 17, further comprising: 

2 providing the suspect string as part of a suspect file comprising a plurality 

3 of individual suspect strings. 

1 20. A method according to Claim 19, further comprising: 

2 identifying a replication method substantially common to a plurality of the 

3 individual suspect strings in the suspect file. 

1 2 1 . A method according to Claim 20, further comprising: 

2 identifying the macro virus family by which the common replication 

3 method is indexed. 

1 22. A method according to Claim 17, further comprising: 

2 storing string constants common to each macro virus family in the macro 

3 virus attributes for the macro virus definition data files; and 

4 comparing the suspect string to the string constants in the one or more 

5 macro virus definition data files for each macro virus family. 

1 23. A method according to Claim 22, further comprising: 

2 applying a threshold to matches of commonly shared string constants. 

1 24. A method according to Claim 22, further comprising: 

2 designating a minimum length of commonly shared string constants. 
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1 25. A method according to Claim 17, further comprising: 

2 storing source code text common to each macro virus family in the macro 

3 virus attributes for the macro virus definition data files; and 

4 comparing the suspect string to the source code text in the one or more 

5 macro virus definition data files for each macro virus family. 

1 26. A method according to Claim 25, further comprising: 

2 applying a threshold to matches of commonly shared source code text. 

1 27. A method according to Claim 25, further comprising: 

2 defining a set of keywords used in the stored source code text identifying 

3 each replication method employed. 

1 28. A method according to Claim 17, further comprising: 

2 resetting the index referencing one or more of the macro virus definition 

3 data files for at least one macro virus family; and 

4 creating a new macro virus definition data file entry comprising an index 

5 referencing one or more macro virus definition files. 

1 29. A method according to Claim 28, further comprising: 

2 defining the macro virus attributes for the new macro virus definition data 

3 file entry by storing at least one of a string constant and source code text. 

1 30. A method according to Claim 17, further comprising: 

2 parsing macro virus attributes from one or more file objects; and 

3 analyzing the macro virus definition data files by index for each macro 

4 virus family. 

1 3 1 . A method according to Claim 30, further comprising: 

2 cross referencing at least one of a string constant and source code text 

3 from the parsed macro file attributes against the macro virus attributes defined in 

4 the virus definition data files. 

1 32. A method according to Claim 17, further comprising: 
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2 iteratively retrieving each macro virus definition data file using the index 

3 for each macro virus family; and 

4 providing the macro virus attributes defined in the retrieved macro virus 

5 definition data file. 

1 33 . A computer-readable storage medium holding code for performing 

2 the method according to Claims 17, 18, 19, 22, 25, 28, 30, or 32. 

1 34. A system for identifying a macro virus family using a macro virus 

2 definitions database, comprising: 

3 a macro virus definitions database comprising a set of indices and 

4 associated macro virus definition data files, further comprising: 

5 one or more of the macro virus definition data files referenced by 

6 the associated index with each macro virus definition data file defining macro 

7 virus attributes for known macro viruses; 

8 a macro family to which each of the sets of the indices and the 

9 macro virus definition data files belong; 

10 a macro virus checker comparing one or more strings stored in a suspect 

1 1 file to the macro virus attributes defined in the one or more macro virus definition 

12 data files for each macro virus family in the macro virus definitions database and 

13 determining the macro virus family to which the suspect file belongs from the 

14 indices for each of the macro virus definition data files at least partially 

1 5 containing the suspect file. 

1 35. A system according to Claim 34, further comprising: 

2 each macro virus family defined according to a replication method 

3 substantially common to each of the macro virus definition data files associated 

4 with one such index. 

1 36. A system according to Claim 34, further comprising: 

2 the macro virus definitions database storing at least one of string constants 

3 and source code text common to each macro virus family in the macro virus 

4 attributes for the macro virus definition data files; and 
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5 the macro virus checker comparing the suspect string to the at least one of 

6 the string constants and the source code text in the one or more macro virus 

7 definition data files for each macro virus family. 

1 37. A system according to Claim 36, further comprising: 

2 the macro virus checker applying a threshold to matches of at least one of 

3 commonly shared string constants and commonly shared source code text. 

1 38. A system according to Claim 36, further comprising: 

2 the macro virus checker designating a minimum length of commonly 

3 shared string constants. 

1 39. A method for identifying a macro virus family using a macro virus 

2 definitions database, comprising: 

3 maintaining a macro virus definitions database comprising a set of indices 

4 and associated macro virus definition data files, further comprising: 

5 referencing one or more of the macro virus definition data files by 

6 the associated index with each macro virus definition data file defining macro 

7 virus attributes for known macro viruses; 

8 organizing the sets of the indices and the macro virus definition 

9 data files according to macro virus families; 

10 comparing one or more strings stored in a suspect file to the macro virus 

1 1 attributes defined in the one or more macro virus definition data files for each 

12 macro virus family in the macro virus definitions database; 

1 3 determining the macro virus family to which the suspect file belongs from 

14 the indices for each of the macro virus definition data files at least partially 

1 5 containing the suspect file. 

1 40. A method according to Claim 39, further comprising: 

2 defining each macro virus family according to a replication method 

3 substantially common to each of the macro virus definition data files associated 

4 with one such index. 
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1 41 . A method according to Claim 39, further comprising: 

2 storing at least one of string constants and source code text common to 

3 each macro virus family in the macro virus attributes for the macro virus 

4 definition data files; and 

5 comparing the suspect string to the at least one of the string constants and 

6 the source code text in the one or more macro virus definition data files for each 

7 macro virus family. 

1 42 . A method according to Claim 4 1 , further comprising: 

2 applying a threshold to matches of at least one of commonly shared string 

3 constants and commonly shared source code text. 

1 43 . A method according to Claim 41 , further comprising: 

2 designating a minimum length of commonly shared string constants. 

1 44. A computer-readable storage medium holding code for performing 

2 the method according to Claims 39, 40, or 41 . 
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